The encryption of Windows Azure Media Services

Windows Azure Media Services provides additional security protection for video assets. A video asset uploaded to Windows Azure Media Services can be encrypted using the ECB algorithm. The entity used in Windows Azure Media Services is ContentKey, which stores the X.509-encrypted ECB key. There are several common questions about the encryption system for Windows Azure Media Services; I am trying to answer them in this post.

a. Why do we need another encryption mechanism? Isn't the connection already secure?

The connection between the client and the server in Windows Azure Media Services is protected by the HTTPS protocol. However, HTTPS is not absolutely secure. In particular, if the HTTPS traffic is hijacked from the very beginning, hackers should be able to decrypt all the subsequent traffic.

b. Why do we need two keys, ECB and RSA? What does each of them do? Can we just use one?

The ECB algorithm is used to encrypt and decrypt the video. ECB is a very fast encryption algorithm which uses the same key to perform encryption and decryption. If we only use ECB to encrypt the video asset, we also need to send the ECB key from the client to the server. If a hacker hijacks the ECB key, he will be able to decrypt the traffic and fake the client. To prevent this from happening, an asymmetric encryption algorithm, RSA, is used to provide further security for assets. The key for the RSA protocol in Windows Azure Media Services is called ProtectionKey. A protection key contains a public key and a private key, and the private key is never released to the client. By calling the get protection key ID method, the client can obtain the ID of the protection key that is in use for the specified protocol. Another call, to the get protection key method, will return the public key of the RSA key. Once the client obtains the public key, it can use the public key to encrypt the ECB key and send the encrypted ECB key to the server as the content key. Because only Windows Azure Media Services has the private key, even if a hacker hijacks the traffic in between, he still cannot decrypt the ECB key from the content key. As a result, the security of the video asset is protected.
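
The key-wrapping step described above, as an added example in Go (not code from Windows Azure Media Services or its SDK): the client encrypts a random symmetric key with the service's RSA public key, and only the holder of the private key can recover it. The function names, the locally generated key pairs, the 32-byte key size and the OAEP padding are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapContentKey (client side) encrypts the symmetric key with the service's public key.
func WrapContentKey(pub *rsa.PublicKey, contentKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
}

// UnwrapContentKey (service side) needs the private key, which never leaves the service.
func UnwrapContentKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Demo reports whether the service recovered the key and whether another key holder was rejected.
func Demo() (bool, bool, error) {
	// Constructed stand-ins: the service's protection key and an unrelated key pair.
	service, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	contentKey := make([]byte, 32) // random symmetric key generated on the client
	if _, err := rand.Read(contentKey); err != nil {
		return false, false, err
	}
	wrapped, err := WrapContentKey(&service.PublicKey, contentKey)
	if err != nil {
		return false, false, err
	}
	got, err := UnwrapContentKey(service, wrapped)
	recovered := err == nil && bytes.Equal(got, contentKey)
	_, errOther := UnwrapContentKey(other, wrapped) // captured blob, wrong private key
	return recovered, errOther != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("service recovered key:", ok, "| other key rejected:", rejected, "| err:", err)
}
```

Only the wrapped bytes cross the network, so a party that captures them without the service's private key gets a decryption error instead of the symmetric key.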